# Assembly analysis for override pt 2
# level08
```
objdump -M intel -d level08
objdump -s -j .rodata level08
```
## main
```
4009f0: 55 push rbp
4009f1: 48 89 e5 mov rbp,rsp
4009f4: 48 81 ec b0 00 00 00 sub rsp,0xb0
4009fb: 89 bd 6c ff ff ff mov DWORD PTR [rbp-0x94],edi
400a01: 48 89 b5 60 ff ff ff mov QWORD PTR [rbp-0xa0],rsi
400a08: 64 48 8b 04 25 28 00 mov rax,QWORD PTR fs:0x28
400a11: 48 89 45 f8 mov QWORD PTR [rbp-0x8],rax
400a15: 31 c0 xor eax,eax
```
Sets up stack frame and allocates 176 bytes for the stack. Store the initial value of edi argc? in `[rbp-0x94]` aka **argc_stack** and rsi argv? in `[rbp-0xa0]` aka **argv_stack**
store 40 in `[rbp-0x8]` aka **count** and clears eax
```
400a17: c6 45 8f ff mov BYTE PTR [rbp-0x71],0xff
400a1b: c7 45 88 ff ff ff ff mov DWORD PTR [rbp-0x78],0xffffffff
400a22: 83 bd 6c ff ff ff 02 cmp DWORD PTR [rbp-0x94],0x2
400a29: 74 1f je 400a4a <main+0x5a>
400a2b: 48 8b 85 60 ff ff ff mov rax,QWORD PTR [rbp-0xa0]
400a32: 48 8b 10 mov rdx,QWORD PTR [rax]
400a35: b8 57 0d 40 00 mov eax,0x400d57
400a3a: 48 89 d6 mov rsi,rdx
400a3d: 48 89 c7 mov rdi,rax
400a40: b8 00 00 00 00 mov eax,0x0
400a45: e8 e6 fc ff ff call 400730 <printf@plt>
400a4a: ba 6b 0d 40 00 mov edx,0x400d6b
400a4f: b8 6d 0d 40 00 mov eax,0x400d6d
400a54: 48 89 d6 mov rsi,rdx
400a57: 48 89 c7 mov rdi,rax
400a5a: e8 61 fd ff ff call 4007c0 <fopen@plt>
400a5f: 48 89 85 78 ff ff ff mov QWORD PTR [rbp-0x88],rax
400a66: 48 83 bd 78 ff ff ff cmp QWORD PTR [rbp-0x88],0x0
400a6d: 00
400a6e: 75 21 jne 400a91 <main+0xa1>
400a70: b8 7c 0d 40 00 mov eax,0x400d7c
400a75: be 6d 0d 40 00 mov esi,0x400d6d
400a7a: 48 89 c7 mov rdi,rax
400a7d: b8 00 00 00 00 mov eax,0x0
400a82: e8 a9 fc ff ff call 400730 <printf@plt>
400a87: bf 01 00 00 00 mov edi,0x1
400a8c: e8 3f fd ff ff call 4007d0 <exit@plt>
```
Store 0xff in `[rbp-0x71]` aka **currchar**, compare **argc** with 0x2. If it is equal, dont log usage. If not, load **argv_stack[0]** and call `printf("Usage: %s filename", argv[0])`. call `fopen("/backups/.log", "w")`. Move the return value to `[rbp-0x88]` aka **logfile** and compare it with 0. If its not equal, jump to `400a91`. else, `printf("ERROR: Failed to open %s", "/backups/.log");` and `exit(1)`
```
400a91: 48 8b 85 60 ff ff ff mov rax,QWORD PTR [rbp-0xa0]
400a98: 48 83 c0 08 add rax,0x8
400a9c: 48 8b 10 mov rdx,QWORD PTR [rax]
400a9f: 48 8b 85 78 ff ff ff mov rax,QWORD PTR [rbp-0x88]
400aa6: be 96 0d 40 00 mov esi,0x400d96
400aab: 48 89 c7 mov rdi,rax
400aae: e8 11 fe ff ff call 4008c4 <log_wrapper>
400ab3: ba a9 0d 40 00 mov edx,0x400da9
400ab8: 48 8b 85 60 ff ff ff mov rax,QWORD PTR [rbp-0xa0]
400abf: 48 83 c0 08 add rax,0x8
400ac3: 48 8b 00 mov rax,QWORD PTR [rax]
400ac6: 48 89 d6 mov rsi,rdx
400ac9: 48 89 c7 mov rdi,rax
400acc: e8 ef fc ff ff call 4007c0 <fopen@plt>
400ad1: 48 89 45 80 mov QWORD PTR [rbp-0x80],rax
400ad5: 48 83 7d 80 00 cmp QWORD PTR [rbp-0x80],0x0
400ada: 75 2d jne 400b09 <main+0x119>
400adc: 48 8b 85 60 ff ff ff mov rax,QWORD PTR [rbp-0xa0]
400ae3: 48 83 c0 08 add rax,0x8
400ae7: 48 8b 10 mov rdx,QWORD PTR [rax]
400aea: b8 7c 0d 40 00 mov eax,0x400d7c
400aef: 48 89 d6 mov rsi,rdx
400af2: 48 89 c7 mov rdi,rax
400af5: b8 00 00 00 00 mov eax,0x0
400afa: e8 31 fc ff ff call 400730 <printf@plt>
400aff: bf 01 00 00 00 mov edi,0x1
400b04: e8 c7 fc ff ff call 4007d0 <exit@plt>
```
Load **argv_stack[1]** into rdx, call `log_wrapper(logfile, "Starting back up:", argv_stack[1])` and call `fopen(argv_stack[1], "r")`and save the result at `[rbp-0x80]` aka **inputfilestream** . If its not null, jump to `400b09` , if it is, `printf("ERROR: Failed to open %s", argv_stack[1])` and `exit(1)
```
400b09: ba ab 0d 40 00 mov edx,0x400dab
400b0e: 48 8d 45 90 lea rax,[rbp-0x70]
400b12: 48 8b 0a mov rcx,QWORD PTR [rdx]
400b15: 48 89 08 mov QWORD PTR [rax],rcx
400b18: 0f b7 4a 08 movzx ecx,WORD PTR [rdx+0x8]
400b1c: 66 89 48 08 mov WORD PTR [rax+0x8],cx
400b20: 0f b6 52 0a movzx edx,BYTE PTR [rdx+0xa]
400b24: 88 50 0a mov BYTE PTR [rax+0xa],dl
400b27: 48 8d 45 90 lea rax,[rbp-0x70]
400b2b: 48 c7 85 58 ff ff ff mov QWORD PTR [rbp-0xa8],0xffffffffffffffff
400b32: ff ff ff ff
400b36: 48 89 c2 mov rdx,rax
400b39: b8 00 00 00 00 mov eax,0x0
400b3e: 48 8b 8d 58 ff ff ff mov rcx,QWORD PTR [rbp-0xa8]
400b45: 48 89 d7 mov rdi,rdx
400b48: f2 ae repnz scas al,BYTE PTR es:[rdi]
400b4a: 48 89 c8 mov rax,rcx
400b4d: 48 f7 d0 not rax
400b50: 48 8d 50 ff lea rdx,[rax-0x1]
400b54: b8 63 00 00 00 mov eax,0x63
400b59: 48 89 c1 mov rcx,rax
400b5c: 48 29 d1 sub rcx,rdx
400b5f: 48 89 ca mov rdx,rcx
400b62: 48 8b 85 60 ff ff ff mov rax,QWORD PTR [rbp-0xa0]
400b69: 48 83 c0 08 add rax,0x8
400b6d: 48 8b 00 mov rax,QWORD PTR [rax]
400b70: 48 89 c1 mov rcx,rax
400b73: 48 8d 45 90 lea rax,[rbp-0x70]
400b77: 48 89 ce mov rsi,rcx
400b7a: 48 89 c7 mov rdi,rax
400b7d: e8 ce fb ff ff call 400750 <strncat@plt>
```
Load "./backups/" into `[rbp-0x70]` aka **prefix**, load a buffer at `[rbp-0xa8]` aka **dest** set up args and call `strcpy(dest, prefix)` and `strncat(prefix, argv[1], 99 - strlen(prefix) - 1)`.
```
400b82: 48 8d 45 90 lea rax,[rbp-0x70]
400b86: ba b0 01 00 00 mov edx,0x1b0
400b8b: be c1 00 00 00 mov esi,0xc1
400b90: 48 89 c7 mov rdi,rax
400b93: b8 00 00 00 00 mov eax,0x0
400b98: e8 13 fc ff ff call 4007b0 <open@plt>
400b9d: 89 45 88 mov DWORD PTR [rbp-0x78],eax
400ba0: 83 7d 88 00 cmp DWORD PTR [rbp-0x78],0x0
400ba4: 79 47 jns 400bed <main+0x1fd>
400ba6: 48 8b 85 60 ff ff ff mov rax,QWORD PTR [rbp-0xa0]
400bad: 48 83 c0 08 add rax,0x8
400bb1: 48 8b 10 mov rdx,QWORD PTR [rax]
400bb4: b8 b6 0d 40 00 mov eax,0x400db6
400bb9: be ab 0d 40 00 mov esi,0x400dab
400bbe: 48 89 c7 mov rdi,rax
400bc1: b8 00 00 00 00 mov eax,0x0
400bc6: e8 65 fb ff ff call 400730 <printf@plt>
400bcb: bf 01 00 00 00 mov edi,0x1
400bd0: e8 fb fb ff ff call 4007d0 <exit@plt>
```
call `open(prefix, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)`. Saves the fd at `[rbp-0x78]` aka **backupfile** and check if greater than 0. If not, ` printf("ERROR: Failed to open %s%s\n", "./backups/", argv_stack[1])` and `exit(1)`. If it is, jump to `400bed` (loop check)
```
400bd5: 48 8d 4d 8f lea rcx,[rbp-0x71]
400bd9: 8b 45 88 mov eax,DWORD PTR [rbp-0x78]
400bdc: ba 01 00 00 00 mov edx,0x1
400be1: 48 89 ce mov rsi,rcx
400be4: 89 c7 mov edi,eax
400be6: e8 15 fb ff ff call 400700 <write@plt>
400beb: eb 01 jmp 400bee <main+0x1fe>
400bed: 90 nop
400bee: 48 8b 45 80 mov rax,QWORD PTR [rbp-0x80]
400bf2: 48 89 c7 mov rdi,rax
400bf5: e8 66 fb ff ff call 400760 <fgetc@plt>
400bfa: 88 45 8f mov BYTE PTR [rbp-0x71],al
400bfd: 0f b6 45 8f movzx eax,BYTE PTR [rbp-0x71]
400c01: 3c ff cmp al,0xff
400c03: 75 d0 jne 400bd5 <main+0x1e5>
```
Call `write(backupfile, currchar, 1)` and jump to `400bee`. at `400bee`, load **inputfielstream** and call `fgets(inputfilestream)` and save result to **currchar**. Compares it with 0xff (EOF). If they are equal, exit the loop.
```
400c05: 48 8b 85 60 ff ff ff mov rax,QWORD PTR [rbp-0xa0]
400c0c: 48 83 c0 08 add rax,0x8
400c10: 48 8b 10 mov rdx,QWORD PTR [rax]
400c13: 48 8b 85 78 ff ff ff mov rax,QWORD PTR [rbp-0x88]
400c1a: be d2 0d 40 00 mov esi,0x400dd2
400c1f: 48 89 c7 mov rdi,rax
400c22: e8 9d fc ff ff call 4008c4 <log_wrapper>
400c27: 48 8b 45 80 mov rax,QWORD PTR [rbp-0x80]
400c2b: 48 89 c7 mov rdi,rax
400c2e: e8 dd fa ff ff call 400710 <fclose@plt>
400c33: 8b 45 88 mov eax,DWORD PTR [rbp-0x78]
400c36: 89 c7 mov edi,eax
400c38: e8 33 fb ff ff call 400770 <close@plt>
400c3d: b8 00 00 00 00 mov eax,0x0
400c42: 48 8b 7d f8 mov rdi,QWORD PTR [rbp-0x8]
400c46: 64 48 33 3c 25 28 00 xor rdi,QWORD PTR fs:0x28
400c4d: 00 00
400c4f: 74 05 je 400c56 <main+0x266>
400c51: e8 ca fa ff ff call 400720 <__stack_chk_fail@plt>
400c56: c9 leave
400c57: c3 ret
```
derefrence **argv_stack[1]** into rdx and call `log_wrapper(logfile, "Finished back up", argv_stack[1])`. close `fclose(inputfilestream)` and `close(backupfile)` and return.
## log_wrapper
```
4008c4: 55 push rbp
4008c5: 48 89 e5 mov rbp,rsp
4008c8: 48 81 ec 30 01 00 00 sub rsp,0x130
4008cf: 48 89 bd e8 fe ff ff mov QWORD PTR [rbp-0x118],rdi
4008d6: 48 89 b5 e0 fe ff ff mov QWORD PTR [rbp-0x120],rsi
4008dd: 48 89 95 d8 fe ff ff mov QWORD PTR [rbp-0x128],rdx
4008e4: 64 48 8b 04 25 28 00 mov rax,QWORD PTR fs:0x28
4008eb: 00 00
4008ed: 48 89 45 f8 mov QWORD PTR [rbp-0x8],rax
4008f1: 31 c0 xor eax,eax
4008f3: 48 8b 95 e0 fe ff ff mov rdx,QWORD PTR [rbp-0x120]
4008fa: 48 8d 85 f0 fe ff ff lea rax,[rbp-0x110]
400901: 48 89 d6 mov rsi,rdx
400904: 48 89 c7 mov rdi,rax
400907: e8 e4 fd ff ff call 4006f0 <strcpy@plt>
```
Setus up stack and allocates 304 bytes for the stack. Load arg1 at `[rbp-0x118]` aka **logfile**, arg2 at `[rbp-0x120]` aka **string**, arg3 at `[rbp-0x128]` aka **inpfile_path**. write 40 to `[rbp-0x8]` aka **count**. Load a new variable at `[rbp-0x110]` aka **dest**, call `strcpy(dest, string)`.
```
40090c: 48 8b b5 d8 fe ff ff mov rsi,QWORD PTR [rbp-0x128]
400913: 48 8d 85 f0 fe ff ff lea rax,[rbp-0x110]
40091a: 48 c7 85 d0 fe ff ff mov QWORD PTR [rbp-0x130],0xffffffffffffffff
400921: ff ff ff ff
400925: 48 89 c2 mov rdx,rax
400928: b8 00 00 00 00 mov eax,0x0
40092d: 48 8b 8d d0 fe ff ff mov rcx,QWORD PTR [rbp-0x130]
400934: 48 89 d7 mov rdi,rdx
400937: f2 ae repnz scas al,BYTE PTR es:[rdi]
400939: 48 89 c8 mov rax,rcx
40093c: 48 f7 d0 not rax
40093f: 48 8d 50 ff lea rdx,[rax-0x1]
400943: b8 fe 00 00 00 mov eax,0xfe
400948: 49 89 c0 mov r8,rax
40094b: 49 29 d0 sub r8,rdx
40094e: 48 8d 85 f0 fe ff ff lea rax,[rbp-0x110]
400955: 48 c7 85 d0 fe ff ff mov QWORD PTR [rbp-0x130],0xffffffffffffffff
40095c: ff ff ff ff
400960: 48 89 c2 mov rdx,rax
400963: b8 00 00 00 00 mov eax,0x0
400968: 48 8b 8d d0 fe ff ff mov rcx,QWORD PTR [rbp-0x130]
40096f: 48 89 d7 mov rdi,rdx
400972: f2 ae repnz scas al,BYTE PTR es:[rdi]
400974: 48 89 c8 mov rax,rcx
400977: 48 f7 d0 not rax
40097a: 48 8d 50 ff lea rdx,[rax-0x1]
40097e: 48 8d 85 f0 fe ff ff lea rax,[rbp-0x110]
400985: 48 01 d0 add rax,rdx
400988: 48 89 f2 mov rdx,rsi
40098b: 4c 89 c6 mov rsi,r8
40098e: 48 89 c7 mov rdi,rax
400991: b8 00 00 00 00 mov eax,0x0
400996: e8 a5 fd ff ff call 400740 <snprintf@plt>
40099b: 48 8d 85 f0 fe ff ff lea rax,[rbp-0x110]
4009a2: be 4c 0d 40 00 mov esi,0x400d4c
4009a7: 48 89 c7 mov rdi,rax
4009aa: e8 d1 fd ff ff call 400780 <strcspn@plt>
4009af: c6 84 05 f0 fe ff ff mov BYTE PTR [rbp+rax*1-0x110],0x0
```
Prepare arguments to call `snprintf(dest + strlen(dest), 254 - strlen(dest) - 1, inpfile_path)` and then calls `dest[strcspn(dest, "/n")] = 0`
```
4009b7: b9 4e 0d 40 00 mov ecx,0x400d4e
4009bc: 48 8d 95 f0 fe ff ff lea rdx,[rbp-0x110]
4009c3: 48 8b 85 e8 fe ff ff mov rax,QWORD PTR [rbp-0x118]
4009ca: 48 89 ce mov rsi,rcx
4009cd: 48 89 c7 mov rdi,rax
4009d0: b8 00 00 00 00 mov eax,0x0
4009d5: e8 c6 fd ff ff call 4007a0 <fprintf@plt>
4009da: 48 8b 45 f8 mov rax,QWORD PTR [rbp-0x8]
4009de: 64 48 33 04 25 28 00 xor rax,QWORD PTR fs:0x28
4009e5: 00 00
4009e7: 74 05 je 4009ee <log_wrapper+0x12a>
4009e9: e8 32 fd ff ff call 400720 <__stack_chk_fail@plt>
4009ee: c9 leave
4009ef: c3 ret
```
Call `fprintf(logfile, "LOG: %s", dest)` and returns.
# level09
```
objdump -M intel -d level09
objdump -s -j .rodata level09
```
## main
```
aa8: 55 push rbp
aa9: 48 89 e5 mov rbp,rsp
aac: 48 8d 3d 5d 01 00 00 lea rdi,[rip+0x15d] # c10 <_IO_stdin_used+0x58>
ab3: e8 78 fc ff ff call 730 <puts@plt>
ab8: e8 03 fe ff ff call 8c0 <handle_msg>
abd: b8 00 00 00 00 mov eax,0x0
ac2: 5d pop rbp
ac3: c3 ret
```
Load a string and calls
```
puts("--------------------------------------------\n| ~Welcome to l33t-m$n ~ v1337 |\n--------------------------------------------");
```
calls `handle_msg()` and returns 0;
## handle_msg
```
8c0: 55 push rbp
8c1: 48 89 e5 mov rbp,rsp
8c4: 48 81 ec c0 00 00 00 sub rsp,0xc0
8cb: 48 8d 85 40 ff ff ff lea rax,[rbp-0xc0]
8d2: 48 05 8c 00 00 00 add rax,0x8c
8d8: 48 c7 00 00 00 00 00 mov QWORD PTR [rax],0x0
8df: 48 c7 40 08 00 00 00 mov QWORD PTR [rax+0x8],0x0
8e6: 00
8e7: 48 c7 40 10 00 00 00 mov QWORD PTR [rax+0x10],0x0
8ee: 00
8ef: 48 c7 40 18 00 00 00 mov QWORD PTR [rax+0x18],0x0
8f6: 00
8f7: 48 c7 40 20 00 00 00 mov QWORD PTR [rax+0x20],0x0
8fe: 00
8ff: c7 45 f4 8c 00 00 00 mov DWORD PTR [rbp-0xc],0x8c
```
Sets up stack and allocates 192 bytes on the stack. Loads a variable at `[rbp-0xc0]` aka **var1**, increments the pointer to `[rbp-0x34] (c0 - 8c)`, sets `[rbp-0x34]`, `[rbp-0x34+0x8]`, `[rbp-0x34+0x10]`, `[rbp-0x34+0x20]` to 0, and writes 140 to `[rbp-0xc]` aka **num**. Since this is a 64 bit program, a word is 8 bytes so we can assume that `[rbp-0x34]` to `[rbp-0xc]` are contigious zeroes `memset([rbp-0x34], 0, 40)`.
Since the assembly only loaded one address from memory and assigns values relatively, we can also say that they are loading a struct like so
```
struct my_struct {
char msg[0x8c];
char username[0x28];
int msglen;
};
```
```
906: 48 8d 85 40 ff ff ff lea rax,[rbp-0xc0]
90d: 48 89 c7 mov rdi,rax
910: e8 b8 00 00 00 call 9cd <set_username>
915: 48 8d 85 40 ff ff ff lea rax,[rbp-0xc0]
91c: 48 89 c7 mov rdi,rax
91f: e8 0e 00 00 00 call 932 <set_msg>
924: 48 8d 3d 95 02 00 00 lea rdi,[rip+0x295] # bc0 <_IO_stdin_used+0x8>
92b: e8 00 fe ff ff call 730 <puts@plt>
930: c9 leave
931: c3 ret
```
calls `set_username(&var1)` and `set_msg(&var1)` and call `puts(">: Msg sent!")`
## set_username
```
9cd: 55 push rbp
9ce: 48 89 e5 mov rbp,rsp
9d1: 48 81 ec a0 00 00 00 sub rsp,0xa0
9d8: 48 89 bd 68 ff ff ff mov QWORD PTR [rbp-0x98],rdi
9df: 48 8d 85 70 ff ff ff lea rax,[rbp-0x90]
9e6: 48 89 c6 mov rsi,rax
9e9: b8 00 00 00 00 mov eax,0x0
9ee: ba 10 00 00 00 mov edx,0x10
9f3: 48 89 f7 mov rdi,rsi
9f6: 48 89 d1 mov rcx,rdx
9f9: f3 48 ab rep stos QWORD PTR es:[rdi],rax
9fc: 48 8d 3d e1 01 00 00 lea rdi,[rip+0x1e1] # be4 <_IO_stdin_used+0x2c>
a03: e8 28 fd ff ff call 730 <puts@plt>
a08: 48 8d 05 d0 01 00 00 lea rax,[rip+0x1d0] # bdf <_IO_stdin_used+0x27>
a0f: 48 89 c7 mov rdi,rax
a12: b8 00 00 00 00 mov eax,0x0
a17: e8 34 fd ff ff call 750 <printf@plt>
```
Allocates 160 bytes on the stack, loads argument1 **&var1** at `[rbp-0x98]` and loads variable `[rbp-0x90]` aka **temp**. call `memset(temp, 0, 16)` and call
```
puts(">: Enter your username");
printf(">>: ");
```
```
a1c: 48 8b 05 95 15 20 00 mov rax,QWORD PTR [rip+0x201595] # 201fb8 <_DYNAMIC+0x198>
a23: 48 8b 00 mov rax,QWORD PTR [rax]
a26: 48 89 c2 mov rdx,rax
a29: 48 8d 85 70 ff ff ff lea rax,[rbp-0x90]
a30: be 80 00 00 00 mov esi,0x80
a35: 48 89 c7 mov rdi,rax
a38: e8 33 fd ff ff call 770 <fgets@plt>
a3d: c7 45 fc 00 00 00 00 mov DWORD PTR [rbp-0x4],0x0
a44: eb 24 jmp a6a <set_username+0x9d>
a46: 8b 45 fc mov eax,DWORD PTR [rbp-0x4]
a49: 48 98 cdqe
a4b: 0f b6 8c 05 70 ff ff movzx ecx,BYTE PTR [rbp+rax*1-0x90]
a52: ff
a53: 48 8b 95 68 ff ff ff mov rdx,QWORD PTR [rbp-0x98]
a5a: 8b 45 fc mov eax,DWORD PTR [rbp-0x4]
a5d: 48 98 cdqe
a5f: 88 8c 02 8c 00 00 00 mov BYTE PTR [rdx+rax*1+0x8c],cl
a66: 83 45 fc 01 add DWORD PTR [rbp-0x4],0x1
a6a: 83 7d fc 28 cmp DWORD PTR [rbp-0x4],0x28
a6e: 7f 11 jg a81 <set_username+0xb4>
a70: 8b 45 fc mov eax,DWORD PTR [rbp-0x4]
a73: 48 98 cdqe
a75: 0f b6 84 05 70 ff ff movzx eax,BYTE PTR [rbp+rax*1-0x90]
a7c: ff
a7d: 84 c0 test al,al
a7f: 75 c5 jne a46 <set_username+0x79>
a81: 48 8b 85 68 ff ff ff mov rax,QWORD PTR [rbp-0x98]
a88: 48 8d 90 8c 00 00 00 lea rdx,[rax+0x8c]
a8f: 48 8d 05 65 01 00 00 lea rax,[rip+0x165] # bfb <_IO_stdin_used+0x43>
a96: 48 89 d6 mov rsi,rdx
a99: 48 89 c7 mov rdi,rax
a9c: b8 00 00 00 00 mov eax,0x0
aa1: e8 aa fc ff ff call 750 <printf@plt>
aa6: c9 leave
```
Call `fgets(temp, 120, stdin)`, store 0 at a variable at `[rbp-0x4]` aka **count** and jump to `a6a` (loop check)
In `a6a`, **count** is compared to 40. If its greater than 40, or **temp[count]** is not 0, the loop exits.
In the loop at `a44`, do `var1->username[count] = temp[count]` and `++count`
Once the loop exits at `a81`, call `printf(">: Welcome, %s", var1->username)` and return.
## set_msg
```
932: 55 push rbp
933: 48 89 e5 mov rbp,rsp
936: 48 81 ec 10 04 00 00 sub rsp,0x410
93d: 48 89 bd f8 fb ff ff mov QWORD PTR [rbp-0x408],rdi
944: 48 8d 85 00 fc ff ff lea rax,[rbp-0x400]
94b: 48 89 c6 mov rsi,rax
94e: b8 00 00 00 00 mov eax,0x0
953: ba 80 00 00 00 mov edx,0x80
958: 48 89 f7 mov rdi,rsi
95b: 48 89 d1 mov rcx,rdx
95e: f3 48 ab rep stos QWORD PTR es:[rdi],rax
961: 48 8d 3d 65 02 00 00 lea rdi,[rip+0x265] # bcd <_IO_stdin_used+0x15>
968: e8 c3 fd ff ff call 730 <puts@plt>
96d: 48 8d 05 6b 02 00 00 lea rax,[rip+0x26b] # bdf <_IO_stdin_used+0x27>
974: 48 89 c7 mov rdi,rax
977: b8 00 00 00 00 mov eax,0x0
97c: e8 cf fd ff ff call 750 <printf@plt>
981: 48 8b 05 30 16 20 00 mov rax,QWORD PTR [rip+0x201630] # 201fb8 <_DYNAMIC+0x198>
988: 48 8b 00 mov rax,QWORD PTR [rax]
98b: 48 89 c2 mov rdx,rax
98e: 48 8d 85 00 fc ff ff lea rax,[rbp-0x400]
995: be 00 04 00 00 mov esi,0x400
99a: 48 89 c7 mov rdi,rax
99d: e8 ce fd ff ff call 770 <fgets@plt>
9a2: 48 8b 85 f8 fb ff ff mov rax,QWORD PTR [rbp-0x408]
9a9: 8b 80 b4 00 00 00 mov eax,DWORD PTR [rax+0xb4]
9af: 48 63 d0 movsxd rdx,eax
9b2: 48 8d 8d 00 fc ff ff lea rcx,[rbp-0x400]
9b9: 48 8b 85 f8 fb ff ff mov rax,QWORD PTR [rbp-0x408]
9c0: 48 89 ce mov rsi,rcx
9c3: 48 89 c7 mov rdi,rax
9c6: e8 55 fd ff ff call 720 <strncpy@plt>
9cb: c9 leave
9cc: c3 ret
```
Allocate 1040 bytes to the stack, loads argument1 **&var1** at `[rbp-0x408]` and loads variable at `[rbp-0x400]` aka **temp*. Call `memset(temp, 0, 128)` then `puts(">: Msg @Unix-Dude")` and `printf(">>: ")`.
Call `fgets(temp, 1024, stdin)` and `strncpy(var1->message, temp, var1->msglen)` and return.
## secret_backdoor
```
88c: 55 push rbp
88d: 48 89 e5 mov rbp,rsp
890: 48 83 c4 80 add rsp,0xffffffffffffff80
894: 48 8b 05 1d 17 20 00 mov rax,QWORD PTR [rip+0x20171d] # 201fb8 <_DYNAMIC+0x198>
89b: 48 8b 00 mov rax,QWORD PTR [rax]
89e: 48 89 c2 mov rdx,rax
8a1: 48 8d 45 80 lea rax,[rbp-0x80]
8a5: be 80 00 00 00 mov esi,0x80
8aa: 48 89 c7 mov rdi,rax
8ad: e8 be fe ff ff call 770 <fgets@plt>
8b2: 48 8d 45 80 lea rax,[rbp-0x80]
8b6: 48 89 c7 mov rdi,rax
8b9: e8 82 fe ff ff call 740 <system@plt>
8be: c9 leave
8bf: c3 ret
```
Loads a variable at `[rbp-0x80]` aka **cmd** and calls `fgets(cmd, 128, stdin)` and then `system(cmd)`
## notes
7WJ6jFBzrcjEYXudxnM3kdW7n3qyxR6tk2xGrkSC
```
b *0x8048866
set disassembly-flavor intel
lay asm
focus cmd
tty /dev/pts/1
run < /tmp/level05
x/10s (char*)(*environ)
x/10x 0x080497e0
```
Sign in with Wallet
Connect another wallet